This is the meat of the report. Break it down by machine/assignment.
Discovery: How you found the bug in the source code.
Ensure your screenshot clearly shows the local.txt or proof.txt flags and the ipconfig or ifconfig output.
Use the first few hours of your reporting window to sleep. A well-rested brain catches typos and missing steps that a sleep-deprived one ignores.
A brief note on how you approached the white-box analysis.
Provide clear, actionable advice on how the developers can fix the code. Don't just say "sanitize input"—provide a code example of a secure implementation.
5. Tips for Success
Exploitation: How you bypassed filters or security controls.
Visual proof of every major step, especially the final "proof of concept" (PoC) showing the flag.
3. Automating the Exploit
Many students underestimate this final stage, but in the world of OffSec, the report is just as critical as the exploit itself. Here is everything you need to know to craft a passing report.
1. Why the Report Matters